Jose M Calhariz:
> Hi,
>
> I am investigating why I can turn off the lintian information
> hardening-no-fortify-functions. In the beginning of my debian/rules I
> have:
>
> export DEB_BUILD_MAINT_OPTIONS=hardening=+all
>
> What am I doing wrong?
> How can I debug if the hardening is really on the binaries?
>
> The complete lintian messages from the at package are:
>
> lintian -I --pedantic at_3.1.20-1_amd64.changes
> P: at source: debian-watch-may-check-gpg-signature
> I: at: hardening-no-fortify-functions usr/bin/at
> I: at: hardening-no-fortify-functions usr/sbin/atd
> N: 4 tags overridden (4 warnings)
>
Hi Jose,

Please verify that the CPPFLAGS are passed to the compiler (a lot of
build systems fail to pass exactly CPPFLAGS on). The general
recommendation is to use "blhc" for this purpose.

If you pass CPPFLAGS on correctly, then there is nothing more you can
do. There are some known false-positives (the actual tool checking is
"hardening-check"), which cannot be fixed. You may want to override the
tags if this is the case.

Thanks,
~Niels
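
A rough sketch of the check suggested in the reply above (do the hardening CPPFLAGS reach every compiler invocation?), added here as an example; it is not part of the original thread and is not how blhc itself is implemented. It assumes that `hardening=+all` contributes `-D_FORTIFY_SOURCE=2` through CPPFLAGS and that fortification only takes effect when optimization is enabled; the build log is constructed, and `sample_log` and `check_fortify` are hypothetical names.

```shell
#!/bin/sh
# Constructed sample build log (not taken from a real build of the at package).
sample_log() {
cat <<'EOF'
gcc -g -O2 -fstack-protector-strong -Wformat -Wdate-time -D_FORTIFY_SOURCE=2 -c at.c -o at.o
gcc -g -O2 -fstack-protector-strong -Wformat -c atd.c -o atd.o
gcc -g -O0 -Wdate-time -D_FORTIFY_SOURCE=2 -c parsetime.c -o parsetime.o
gcc -Wl,-z,relro -Wl,-z,now -o at at.o parsetime.o
EOF
}

# Read a build log on stdin and print "<reason>: <source>" for every compile
# step in which fortification cannot take effect.
check_fortify() {
  awk '
    $1 ~ /(^|-)(gcc|cc)$/ {
      compile = 0; fortify = 0; opt = 0; src = ""
      for (i = 2; i <= NF; i++) {
        if ($i == "-c") compile = 1
        else if ($i ~ /^-D_FORTIFY_SOURCE=[1-9]/) fortify = 1
        else if ($i == "-U_FORTIFY_SOURCE") fortify = 0  # a later -U undoes -D
        else if ($i ~ /^-O/) opt = ($i != "-O0")         # last -O flag wins
        else if ($i ~ /\.(c|cc|cpp)$/) src = $i
      }
      if (!compile) next        # link-only step: CPPFLAGS do not apply
      if (!fortify) print "missing-fortify: " src
      else if (!opt) print "no-optimization: " src
    }'
}

# Run against the constructed log; a real log would be piped in instead.
sample_log | check_fortify
```

A compile step reported here points at a build system that drops CPPFLAGS; if nothing is reported and lintian still emits the tag, the false-positive case mentioned in the reply is the likelier explanation.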